A while ago I was setting up Azure RemoteApp at a client. After creating the custom image, I was unable to connect to the newly created Azure IaaS virtual machine (VM) with RDP. The below Remote Desktop Connection error popped up:

The error occurs because the 120-day licensing grace period for the Remote Desktop Server role has expired and you need to install licenses. In my opinion that is really strange, because it’s a new VM created from the Windows Server RDSHwO365P image available in the Azure Marketplace. That being said, below you can find out how I was finally able to connect to the VM with RDP.

1) First of all, save a local copy of the RDP file from the Azure portal. I saved it under the C:\Temp folder on my laptop.

2) Open Windows PowerShell ISE as an Administrator and run the following command to connect. This command will disable licensing for just that connection (replace AZUTST with your own RDP file name):

## Disable RDP licensing
mstsc C:\Users\wimma\Downloads\AZUTST.rdp /admin

Be aware that only 2 connections are possible at the same time when using /admin.

3) As you can see below, by using /admin I was able to connect to the VM.

All VMs that you create in Azure can automatically communicate using a private network channel with other VMs in the same cloud service or VNet. However, other resources on the Internet or resources from other VNets require endpoints to handle the inbound network traffic to those VMs. That’s why when you create a new Azure IaaS v1 VM (Azure Service Manager deployment model), Azure automatically creates two endpoints: Remote Desktop and Windows PowerShell Remoting. Both endpoints consist of a protocol (TCP or UDP) and have a public (for example 54036) and a private (for example 3389) port. The public port is used by the Azure load balancer to listen for incoming traffic to the IaaS VM from the Internet. The private port on the other hand is used by the IaaS VM itself to listen for incoming traffic to an application or service running on the VM.

After the creation of this new VM it’s possible to create additional endpoints if needed. The VM deployment wizard provides pre-defined endpoint configurations not only for Remote Desktop and PowerShell, but also for SSH, FTP, SMTP, DNS, HTTP, POP3, IMAP, LDAP, HTTPS, SMTPS, IMAPS, POP3S, MSSQL and MySQL. If the needed service isn’t in this list, you can also create your own service endpoint and define the protocols and ports needed.

You can manage and isolate the incoming traffic to the public ports of these endpoints by configuring access control list (ACL) rules. By using ACLs you can, for example, permit access to a specific service only from a set of trusted hosts or networks.
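The ACL restriction described above, applied to the RDP endpoint of a classic VM (an added example, not code from the original post). It assumes the classic Azure Service Management PowerShell module and the post's cloud service and VM names; the trusted ranges are constructed sample values.

```powershell
# Added example: restrict the public RDP endpoint to trusted source ranges.
$serviceName = 'AZGR-DC'       # cloud service name used in this post
$vmName      = 'AZGR-DC-01'    # VM name used in this post
$trusted     = @('203.0.113.0/24', '198.51.100.10/32')   # constructed sample ranges

$vm = Get-AzureVM -ServiceName $serviceName -Name $vmName

# Locate the RDP endpoint by its private port rather than assuming its name.
$rdp = Get-AzureEndpoint -VM $vm |
    Where-Object { $_.LocalPort -eq 3389 } |
    Select-Object -First 1
if (-not $rdp) { throw "No endpoint maps to private port 3389 on $vmName." }

# Build the ACL. As soon as one Permit rule exists, traffic from sources
# that match no rule is denied, so only the listed ranges can reach RDP.
$acl   = New-AzureAclConfig
$order = 100
foreach ($subnet in $trusted) {
    Set-AzureAclConfig -AddRule -ACL $acl -Order $order -Action Permit `
        -RemoteSubnet $subnet -Description "RDP from $subnet" | Out-Null
    $order += 100
}

# Re-apply the endpoint with its existing ports plus the new ACL.
$vm | Set-AzureEndpoint -Name $rdp.Name -Protocol $rdp.Protocol `
        -LocalPort $rdp.LocalPort -PublicPort $rdp.Port -ACL $acl |
    Update-AzureVM

# Read the rules back from the updated VM to confirm they were stored.
$updated = Get-AzureVM -ServiceName $serviceName -Name $vmName
Get-AzureAclConfig -EndpointName $rdp.Name -VM $updated
```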

However, as a security best practice, when an IaaS VM is configured and a site-to-site (S2S) VPN exists, it’s always advisable to remove all endpoints you don’t need (like RDP) and to use endpoints only when they’re really needed (for example to access an IIS-hosted website from the Internet on port 443). When the S2S VPN is in place, you can connect to the VM on the standard local RDP port (3389) via the secure IPsec VPN tunnel instead of connecting over the public Internet.

In this blog post I will show you how you can delete the RDP and PowerShell endpoint manually by making use of the Azure Classic Portal (AZGR-DC-01) and how to do it with the use of Azure PowerShell (AZGR-DC-02). So, let’s get started.

4) As you can see, only the Remote PowerShell endpoint still exists, which we can also verify in the Azure Classic Portal.

5) To delete the PowerShell endpoint, run the following cmdlet:

## Remove PowerShell Endpoint
Get-AzureVM -ServiceName "AZGR-DC" -Name "AZGR-DC-02" |
    Remove-AzureEndpoint -Name 'PowerShell' |
    Update-AzureVM

6) After running this cmdlet, no endpoints exist any longer for the AZGR-DC-02 VM.

That ends the final part of this series. I had a lot of fun writing this series and I really hope it’s useful for some people. If someone has any questions about the series or a specific part of it, you can always contact me through my Twitter handle.

From Windows 10, Client Hyper-V supports nested virtualization (basically, it allows you to run Hyper-V in a Hyper-V virtual machine), something many people had been awaiting for a long time. It also brings other nice new features to the built-in hypervisor, like:

Windows PowerShell Direct

Hot add and remove network adapters and memory

Linux secure boot

Integration Services delivered through Windows Update

A new virtual machine configuration file format .VMCX

If you’re interested in reading more, you can do so via the following link:

Because of all those nice improvements I decided to create my new demo and testing environment with it on my notebook. When Client Hyper-V (optional feature) was installed and the VMs for the complete infrastructure were built, I had the ability to connect to those VMs via two mechanisms: the VM console (VMConnect) and Remote Desktop (RDP).

The VM Console provides a single-monitor view of the VM with a resolution up to 1600 x 1200 in 32-bit color. This console also lets you view the VM’s boot process. You can use it by opening the Hyper-V Manager, right-clicking a VM, and selecting Connect…

If you want a richer experience, you can connect to a VM using an RDP connection. Then the VM will take advantage of the capabilities available on your notebook (multi monitor use, full media capability, shared clipboard, USB redirection and much more). You can use it by opening Run and typing mstsc (like everyone probably knows).

Because you’re mostly working with more than one server in a lab environment, the VM Console is not so easy or practical to use: there is no tool available to manage multiple VM Console connections in a tabbed view, which would allow you to switch easily between all those running VMs.

When you use RDP to connect to those VMs instead, several such tools (free or paid) are available:

9) If the Windows Firewall is enabled, don’t forget to adjust the necessary Inbound Rules to allow RDP.

10) Open mRemoteNG, right-click Connections and select “New Connection”. Create two new connections named “GR-DC-01” and “GR-DC-02”. When they are created, fill in all necessary info as shown in the screenshot below (I log in with the local administrator, that’s why I filled in .\ for the domain).

11) Click both connections and you will see that you can use both VMs in a tabbed view by using RDP.